Automated Logic WebCTRL

MonitorCVSS 5.2ICS-CERT ICSA-22-109-02Apr 19, 2022

Johnson Controls

Attack path

Attack VectorAdjacent

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

A CWE-601 (URL Redirect to Untrusted Site) vulnerability exists in Automated Logic WebCTRL Server versions prior to 7.0. Successful exploitation could allow an attacker to redirect a user to a malicious webpage or trick them into downloading a malicious file through social engineering. No known public exploits currently target this vulnerability. The vulnerability affects all WebCTRL Server versions below 7.0 with no fix available through the normal channel; however, users can contact an Automated Logic dealer for instructions to download the latest version.

What this means

What could happen

An attacker could craft a malicious link or attachment within WebCTRL that tricks a user into visiting an attacker-controlled website or downloading a malicious file, potentially leading to credential theft or malware infection on systems with access to the control system.

Who's at risk

Building automation managers and operators at water authorities, municipal utilities, and other facilities using Johnson Controls Automated Logic WebCTRL for HVAC and facility management control are affected. This is particularly relevant for organizations where WebCTRL integrates with or runs on the same network as critical operational systems.

How it could be exploited

The attacker crafts an open redirect or downloads a malicious link/file, then uses social engineering to trick a WebCTRL user (typically an operator or administrator) into clicking the malicious link or opening the file via email or web interface. The redirect could send the user to a phishing page or malware distribution site.

Prerequisites

User must be logged into WebCTRL
User must click a malicious link or accept a file download via social engineering

low complexityuser interaction required (social engineering)affects administrative systems with potential lateral movement risk

Exploitability

Unlikely to be exploited — EPSS score 0.2%

Affected products (1)

ProductAffected VersionsFix Status

WebCtrl Server: All<7.07.0

Remediation & Mitigation

0/3

Do now

0/1

WORKAROUNDAdd Content-Security-Policy (CSP) meta tag to index.htm files in all <install_dir>/webroot/_common/lvl5/help/* directories to restrict redirect targets and script execution

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade WebCTRL Server to version 7.0 or later

Long-term hardening

0/1

HARDENINGConduct security awareness training for operators and administrators on recognizing phishing links and social engineering tactics

CVEs (1)

CVE-2022-1019

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/6d41270b-ba70-4d17-8a56-13717b138a8c

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.